Azure AD multi-tenant app vs single tenant app


I’ve recently noticed that Azure AD admins are being asked to create multi-tenant apps in their corporate tenant.

In some instances, it was the devs in the org asking for this, in other instances it was the application vendor.

Here are some things to watch out for 👇

Multi-tenant apps are meant for ISVs and SaaS vendors: the vendor registers the app once, in its own tenant, and customers consent to it from theirs. ServiceNow and Salesforce are examples of such apps.

When an app is registered as a multi-tenant app, ANY user from ANY Azure AD tenant can visit the app’s URL and sign in, unless the app itself rejects tenants it does not serve.

If you create a multi-tenant app in your corporate tenant and apply a Conditional Access policy to it, the policy only applies to users and guests in your tenant.

⚠️ I’ll repeat ➟ your CA policies do not apply to users signing into your multi-tenant app in their own tenant.

So, what is the general rule of thumb that Azure AD admins and cybersecurity teams should follow?

If the app is from a vendor/SaaS provider:

✅ Add the app to your tenant from the Azure AD Application Gallery

✅ If the app is not in the gallery, you as the customer can request the vendor to get their app listed on the Azure AD app gallery

✅ If app gallery is not an option, request the vendor to create the app in their own tenant. Use the admin consent model to add the app to your tenant.

✅ If the only option provided by the vendor is to create the app in your tenant, push for the vendor to allow you to create a single tenant app.

If the app is developed by devs in your org and is only meant for users in your own org.

✅ Ask why the dev needs this to be a multi-tenant app.

✅ Ask if the devs have implemented appropriate checks to prevent sign-ins from other tenants.
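What such a check looks like, as an added example that is not from the original post: a PowerShell function that reads the aud, tid and iss claims from an access token and rejects anything outside an allow-list. The tokens below are constructed and unsigned; signature and expiry validation is the job of the app’s token library (Microsoft.Identity.Web, MSAL and friends) and must run before any claim is trusted. The tenant IDs, the client ID and the v2.0 issuer format are assumptions for the example.

```powershell
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# The check the app should run AFTER the token library has validated signature and expiry.
# A multi-tenant registration alone lets any tenant sign in; this is what actually narrows it.
function Test-TokenTenant {
    param(
        [Parameter(Mandatory)] [string]   $Token,
        [Parameter(Mandatory)] [string[]] $AllowedTenantIds,
        [Parameter(Mandatory)] [string]   $ClientId
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { Write-Warning 'Not a JWT'; return $false }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # 1. the token must have been issued for this app
    if ($claims.aud -ne $ClientId) { Write-Warning "aud mismatch: $($claims.aud)"; return $false }

    # 2. the issuing tenant must be one the app serves
    if (-not $claims.tid -or $AllowedTenantIds -notcontains $claims.tid) {
        Write-Warning "tenant '$($claims.tid)' not allowed"; return $false
    }

    # 3. the v2.0 issuer embeds the tenant id; refuse tokens where iss and tid disagree
    $expectedIssuer = "https://login.microsoftonline.com/$($claims.tid)/v2.0"
    if ($claims.iss -ne $expectedIssuer) { Write-Warning "issuer mismatch: $($claims.iss)"; return $false }

    return $true
}

# --- constructed demo tokens: assumed IDs, alg=none, empty signature segment ---
$homeTenant  = '11111111-1111-1111-1111-111111111111'
$otherTenant = '22222222-2222-2222-2222-222222222222'
$clientId    = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

function New-DemoToken([string]$Tid, [string]$Aud) {
    $header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
    $payload = ConvertTo-Base64Url (@{
        aud = $Aud
        tid = $Tid
        iss = "https://login.microsoftonline.com/$Tid/v2.0"
        preferred_username = 'user@example.invalid'
    } | ConvertTo-Json -Compress)
    '{0}.{1}.' -f $header, $payload
}

Test-TokenTenant -Token (New-DemoToken $homeTenant  $clientId) -AllowedTenantIds $homeTenant -ClientId $clientId
Test-TokenTenant -Token (New-DemoToken $otherTenant $clientId) -AllowedTenantIds $homeTenant -ClientId $clientId
```

The first call returns True; the second returns False with a warning that the tenant is not allowed, which is exactly the sign-in a multi-tenant registration would otherwise accept. v1.0 tokens use https://sts.windows.net/{tid}/ as the issuer, so adjust the expected issuer if your app requests those; in a real app this logic lives in the token validation options (a fixed issuer or tenant list) rather than in hand-written claim parsing.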

There are many valid scenarios for creating multi-tenant apps in your tenant, including

✅ You are a SaaS vendor or ISV and you create and publish apps that Azure AD customers can consume

✅ You manage multiple Azure AD tenants in your org and you need a single service principal (workload identity) to access the other tenants (e.g. to automate DevOps tasks across your tenants)

Here is some further reading on the topic of multi-tenancy. These are aimed at devs; however, it’s good reading for admins to appreciate what it takes to build a least-privilege multi-tenant app.



Note: This MSRC blog post provides additional guidance on how you can review the multi-tenant apps in your tenant and switch them to a single tenant app if multi-tenant is not a requirement.

Guidance on Potential Misconfiguration of Authorization of Multi-Tenant Applications that use Azure AD - MSRC Blog - Microsoft Security Response Center
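The Graph PowerShell version of that review, as an added example that is not from the MSRC post or the original page: list every app registration whose signInAudience is not single-tenant, find its owners, and switch one back once they confirm nothing outside the tenant needs it. It assumes the Microsoft.Graph.Applications module and an account holding Application.ReadWrite.All; the client ID placeholder is yours to fill in.

```powershell
# Application.ReadWrite.All is needed for the switch; Application.Read.All is enough to list
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# signInAudience: AzureADMyOrg = single tenant. Anything else accepts sign-ins from outside your tenant
# (AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount).
$notSingleTenant = Get-MgApplication -All -Property Id, AppId, DisplayName, SignInAudience, CreatedDateTime |
    Where-Object { $_.SignInAudience -ne 'AzureADMyOrg' }

$notSingleTenant |
    Select-Object DisplayName, AppId, SignInAudience, CreatedDateTime |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize

# Pick one to switch and find out who to ask first
$appId = '<client id of the app to switch>'   # placeholder
$app = Get-MgApplication -Filter "appId eq '$appId'"
Get-MgApplicationOwner -ApplicationId $app.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Flipping to single tenant BREAKS sign-in for users in every other tenant.
# -WhatIf shows the change without making it; drop it once the owners have confirmed.
Update-MgApplication -ApplicationId $app.Id -SignInAudience 'AzureADMyOrg' -WhatIf
```

Run the listing on a schedule and diff it: a new non-single-tenant registration appearing between runs is the event you want to notice, since that is the moment a dev or vendor just opened a sign-in surface to every Azure AD tenant.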

Use a custom app for Graph PowerShell delegate access


If you want to follow the least privilege model for the applications in your Azure AD tenant, you might be concerned about consenting to many permissions scopes to the Microsoft Graph PowerShell app over time.

To avoid this, you can register your own app for use with Microsoft Graph PowerShell. This allows you to have more granular control.

Here are the steps to go about setting it up.

  • Browse to Entra > App registrations > New Registration
    • Name: Microsoft Graph PowerShell - High Privilege admin use only (<- Give a meaningful name)
    • Account type: Accounts in this organizational directory only (single tenant)
    • Redirect URI:
      • Select Public client/native from the drop down
      • URI: http://localhost
    • Click Create

That’s it!

Now you can use this app instead of the default one by connecting with

Connect-MgGraph -ClientId <Your new app clientid> -TenantId <your tenant id>

Here are a few screenshots to help guide you.

Screenshot showing how the app should be created

Remember to use the ClientId and TenantId parameters when signing in.

Screenshot signing in with the new app in PowerShell

Restricted user access

I would also recommend limiting the users that have access to these Graph PowerShell applications. To do this, browse to the Enterprise Applications blade, select the app and in Properties set Assignment required? to Yes. Then grant access to the required folks from the Users and groups blade.
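The same setup scripted with Graph PowerShell, as an added example rather than the original post’s own steps, covering both the registration and the Assignment required setting. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules, an account with Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All, and a placeholder UPN for the admin being assigned. One difference from the portal: creating a registration through Graph does not create its enterprise application, so the script creates that service principal explicitly.

```powershell
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'
$tenantId = (Get-MgContext).TenantId

# 1. App registration: single tenant, public client, the localhost redirect Graph PowerShell uses
$app = New-MgApplication -DisplayName 'Microsoft Graph PowerShell - High Privilege admin use only' `
    -SignInAudience 'AzureADMyOrg' `
    -PublicClient @{ RedirectUris = @('http://localhost') }

# 2. Service principal = the Enterprise Applications entry. The portal creates it for you; Graph does not.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Assignment required = Yes: only assigned users can sign in to this app at all
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign the admins. An app with no app roles of its own uses the "default access" role,
#    whose id is the empty GUID.
$adminUpn = 'admin@contoso.example'   # placeholder
$admin = Get-MgUser -UserId $adminUpn
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $admin.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty)

# 5. Sign in with the new app. Consented scopes are tracked per app, so this starts from nothing.
Disconnect-MgGraph
Connect-MgGraph -ClientId $app.AppId -TenantId $tenantId -Scopes 'User.Read.All'
```

Keep the scope list on that last line as short as the task needs: the whole point of a dedicated registration is that the set of permissions consented to it stays small and reviewable, and Get-MgContext after connecting shows exactly which scopes the session holds.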

Windows PowerShell 5.1

The steps above will get you working with PowerShell 7, which is what you SHOULD be using. In the unfortunate event that you are stuck with Windows PowerShell 5.1 you need to do one more thing.

  • Open the app you just created in App registrations
  • Select Authentication
    • Check
    • Click Save

Azure AD and Microsoft Graph Extensions and Attributes


A comparison of the five different types of Microsoft Azure AD + Graph extensions and attributes.

Extension Attributes 1-15 (aka onPremisesExtensionAttributes)
  • Audience: IT Admins, Devs
  • Supported resources: user, device
  • Data types: String
  • Max limits: 15 per object
  • When to use: a simpler way to leverage on-prem data or Exchange data; a simple string attribute on a user/device that can be used in multiple applications as a claim
  • Key notes: can only sync for users with onPremisesSyncEnabled; cannot be updated via Microsoft Graph unless the users/devices are cloud-only (not synced from on-prem)

Directory extensions / Custom extension properties (aka AAD extensions)
  • Audience: IT Admins, Devs
  • Supported resources: user, group, administrativeUnit, application, device, organization
  • Data types: Binary, Boolean, DateTime, Integer, LargeInteger, String (256 char)
  • Max limits: 100 extensions across all types and all applications
  • Multi-valued attributes: supported only for attributes synchronized from on-prem [1]
  • When to use: extending AAD resources with more attributes; needing more strongly-typed attributes than extension attributes 1-15; with AAD Connect Sync, can also sync on-prem or SharePoint data
  • Key notes: the extension is created on an app object, then the target resource(s) are updated with a value; AAD Connect Sync uses directory extensions

Schema extensions
  • Audience: Devs
  • Supported resources: user, group, administrativeUnit, application, contact, device, event, message, organization, post
  • Data types: Binary, Boolean, DateTime, Integer, String
  • Max limits: 100 per resource
  • When to use: to extend Graph resources; when the attributes are not needed as part of user authentication or as a claim
  • Key notes: the extension is created as a stand-alone resource, then applied to objects

Open extensions
  • Audience: Devs
  • Supported resources: user, group, contact, device, event, message, organization, post, todoTask, todoTaskList
  • Data types: String
  • Max limits: 2 per creator app per resource
  • When to use: directly add attributes to a single Graph object, rather than through an extension schema
  • Key notes: simple setup and usage

Custom security attributes
  • Audience: IT Admins, Devs
  • Supported resources: user, servicePrincipal
  • Data types: Boolean, Integer, String
  • Max limits: 50 per object; 500 attributes per tenant
  • When to use: store confidential data
  • Key notes: built with security and least privilege

The comparison also covers, per type, support for:
  • Dynamic group membership rules
  • Conditional Access - Users and groups
  • Conditional Access - App filter
  • Conditional Access - Device filter
  • Admin user interface
  • Cross-tenant synchronization
  • App user provisioning
  • Entitlement Management automatic assignment
  • Lifecycle Workflows execution conditions scope
  • External identities - Self-service sign-up flow
  • Customizing token claims
  • AAD P1/P2 license requirement
  • Azure ABAC
  • Blocking read access
  • Strong typing
  • Multi-valued attributes
  • Azure AD Connect and Cloud Sync

[1] Multi-value support in directory extensions is limited to attributes synchronized from on-prem. It is not possible to create new multi-valued directory extensions in Azure AD.
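Two of the types above in practice, as an added example that is not from the original post: writing extensionAttribute1 on a cloud-only user, then defining a directory extension on an owning app registration and writing it to the same user. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules, an account with Application.ReadWrite.All and User.ReadWrite.All, and placeholder names for the user and the owning app.

```powershell
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'User.ReadWrite.All'
$upn = 'jane@contoso.example'   # placeholder; must be a cloud-only user for step 1 to succeed

# 1. Extension attributes 1-15: nothing to define, plain strings on the user.
#    For a synced user this write is rejected; the value has to come from on-prem AD via AAD Connect.
Update-MgUser -UserId $upn -OnPremisesExtensionAttributes @{ extensionAttribute1 = 'CostCenter-4410' }
(Get-MgUser -UserId $upn -Property 'onPremisesExtensionAttributes').OnPremisesExtensionAttributes.ExtensionAttribute1

# 2. Directory extension: defined once on an owning app object, then written per target object.
$owner = New-MgApplication -DisplayName 'HR directory extensions owner' -SignInAudience 'AzureADMyOrg'
$ext = New-MgApplicationExtensionProperty -ApplicationId $owner.Id `
    -Name 'jobLevel' -DataType 'String' -TargetObjects @('User')

# The generated property name has the form extension_<app id without dashes>_jobLevel;
# that full name is what you read and write on the user.
$ext.Name

Update-MgUser -UserId $upn -AdditionalProperties @{ $ext.Name = 'L4' }

# Extension values are not returned by default: $select them, then read from AdditionalProperties
$user = Get-MgUser -UserId $upn -Property "id,displayName,$($ext.Name)"
$user.AdditionalProperties[$ext.Name]
```

The owning app registration matters for more than naming: deleting it removes the extension definition and the values with it, and anything holding Application.ReadWrite.All can define extensions, so treat extension definitions like any other schema change and keep the owner app under the same review as the rest of your registrations.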

Azure AD Shortcuts


NOTE: Check out The new and improved version of this.

I’m a command line guy and hate having to click to get to various Azure AD pages. Over time I created these shortcuts and thought you might find them helpful.

Here is how it works. Open a new tab and type {command}, where command is one of the shortcuts below.

  • ca: Conditional Access
  • pim: Privileged Identity Management
  • users: Users
  • groups: Groups
  • devices: Devices
  • apps: Enterprise Applications
  • appreg: Application Registrations
  • auth: Authentication Methods Policies
  • legacymfa: Legacy MFA
  • guests: Guest Access Settings
  • logs: Sign-in Logs
  • xtap: Cross-Tenant Access Settings
  • roles: Azure AD Roles
  • sspr: Password Reset
  • security: Security
  • mfaunblock: MFA Unblock
  • reviews: Access Reviews
  • score: Secure Score
  • license: Licenses
  • synclog: AAD Connect Sync Errors
  • adfslog: ADFS Log
  • consent: Consents and Permissions
  • support: Support
  • list: List all these shortcuts

If you liked those, here are some of my favourite Identity-related shortcuts:

  • Azure AD Portal
  • Self Service Password Reset
  • My Security
  • My Apps
  • My Account
  • My Groups
  • My Access Packages
  • Alternative for My Security
  • Graph Explorer
  • Intune

Have I missed anything? Have new suggestions? Let me know at

Graph PowerShell Conversion Analyzer


Screenshot of Graph PowerShell Analyzer

Hey folks, I took part in a hackathon last week and built the Graph PowerShell Conversion Analyzer. Hopefully, this will help a bit as you upgrade your AzureAD & MSOnline PowerShell scripts to Graph PowerShell.

It’s very rough right now but I would love to hear your feedback.

Try it out at

You start by pasting in one of your old scripts that you want to upgrade to Graph PowerShell and clicking the Analyze button.

This will generate a report of all the Azure AD PowerShell and MSOnline commands that were found along with a mapping to its corresponding Graph PowerShell command. The sample generated will try to map the parameters to the new command.

This is where I still need to do a lot more work to make it really useful.
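A scaled-down version of that analysis step, as an added example that is not the analyzer’s own code: PowerShell’s parser walks a legacy script’s AST, picks out every AzureAD and MSOnline command together with the parameters it was called with, and looks each one up in a mapping table. The script being analysed and the four-entry mapping table are constructed for the example; a real converter carries a far larger table plus the parameter mapping the post describes.

```powershell
# Constructed input: a typical legacy script still on the AzureAD and MSOnline modules
$legacyScript = @'
Connect-AzureAD
$disabled = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $false }
foreach ($u in $disabled) { Get-AzureADUserMembership -ObjectId $u.ObjectId }
Get-MsolRoleMember -RoleObjectId $roleId
Set-AzureADUser -ObjectId $u.ObjectId -AccountEnabled $true
'@

# Illustrative mapping table (assumption: a real converter has hundreds of entries)
$commandMap = @{
    'Connect-AzureAD'           = 'Connect-MgGraph'
    'Get-AzureADUser'           = 'Get-MgUser'
    'Get-AzureADUserMembership' = 'Get-MgUserMemberOf'
    'Get-MsolRoleMember'        = 'Get-MgDirectoryRoleMember'
}

function Find-LegacyCommand {
    param([Parameter(Mandatory)][string]$Script, [Parameter(Mandatory)][hashtable]$Map)

    # Parse instead of regexing the text: the AST yields real invocations, not hits inside strings or comments
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)
    $calls = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($call in $calls) {
        $name = $call.GetCommandName()
        if ($name -notmatch '^\w+-(AzureAD|Msol)\w*$') { continue }   # only the legacy modules' nouns

        $params = $call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { '-' + $_.ParameterName }

        [pscustomobject]@{
            Line       = $call.Extent.StartLineNumber
            Legacy     = $name
            Graph      = if ($Map.ContainsKey($name)) { $Map[$name] } else { '(no mapping yet)' }
            Parameters = $params -join ' '
        }
    }
}

Find-LegacyCommand -Script $legacyScript -Map $commandMap | Format-Table -AutoSize
```

The report flags Set-AzureADUser on the last line as unmapped, which is the useful part: a migration tool that silently skipped unknown commands would leave you with a half-converted script that fails only at runtime, and the parameter column shows what still has to be translated by hand (for instance -ObjectId becomes -UserId on the Mg cmdlets).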

Screenshot of Analysis Report

Where possible you also get direct links to both the Graph PowerShell command reference as well as the Graph API reference (which usually has more relevant info).

No more hunting around and searching the docs!

Screenshot showing links to the docs

The last bit is where you the community can really help us and each other out. We’ve started an open repository of sample Graph PowerShell scripts at

We would love to make this the largest collection of Graph PowerShell sample scripts. It’s open to everyone to contribute so please share your scripts (even one-liners).

Screenshot of the Graph samples community

Let me know what you think. If you have any ideas on how this can be improved I’m all ears!